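-- © 2008 Daniel Pistelli. All rights reserved.
-- Section Comparing Script 1.0.0.1
--
-- Asks for two PE files and a 0-based section index, compares that section
-- byte by byte in both files and writes the RVAs of every differing byte to a
-- text report. The Import Address Tables can optionally be left out of the
-- comparison.
--
-- Every header value read below (section RVA/size, IAT directory) comes from
-- the files being inspected and is therefore untrusted: each one is checked
-- before it is used in arithmetic or as an index.

-- Shows an error message box. The title is the global strTitle, which the
-- main code sets before the first call.
function Err(str)
    MsgBox(str, strTitle, MB_ICONEXCLAMATION)
end

-- Writes str to the current report, followed by a newline.
function AddToReport(str)
    -- hReport is a global assigned by the main code once the report exists
    LogPrint(hReport, str .. "\n")
end

-- --------------------------------------------------
-- the main code starts here
-- --------------------------------------------------

-- Deliberately global: Err() reads it.
strTitle = "Section Comparer Script"

local strFilter = "All\n*.*\nExe Files\n*.exe\nDll Files\n*.dll\n"

local filename1 = GetOpenFile("Select first PE...", strFilter)

if filename1 == null then
    return
end

local hPE1 = OpenFile(filename1)

if hPE1 == null then
    Err("Couldn't open first file.")
    return
end

local filename2 = GetOpenFile("Select second PE...", strFilter)

if filename2 == null then
    return
end

local hPE2 = OpenFile(filename2)

if hPE2 == null then
    Err("Couldn't open second file.")
    return
end

local nSectToComp = tonumber(InputBox("Section To Compare",
    "Insert the decimal and 0-based number of the section to compare."))

-- tonumber() also accepts negative and fractional input. Either one would
-- place the header offset computed below outside the section table, so both
-- are rejected together with non-numeric input.
if nSectToComp == null or nSectToComp < 0 or nSectToComp % 1 != 0 then
    Err("The inserted number is not a valid decimal value")
    return
end

if nSectToComp > GetNumberOfSections(hPE1) - 1 or
   nSectToComp > GetNumberOfSections(hPE2) - 1 then
    Err("The inserted section exceeds the number of sections available")
    return
end

local SectHdrsOffset1 = GetOffset(hPE1, PE_SectionHeaders) +
    nSectToComp * IMAGE_SIZEOF_SECTION_HEADER
local SectHdrsOffset2 = GetOffset(hPE2, PE_SectionHeaders) +
    nSectToComp * IMAGE_SIZEOF_SECTION_HEADER

-- I read the virtual locations because they are more reliable.
-- In IMAGE_SECTION_HEADER, +12 is VirtualAddress and +8 is VirtualSize.
-- NOTE(review): VirtualSize may be larger than the raw data stored in the
-- file for the section; the ReadBytes results are checked below for that
-- reason.
local SectRVA1 = ReadDword(hPE1, SectHdrsOffset1 + 12)
local SectRVA2 = ReadDword(hPE2, SectHdrsOffset2 + 12)

local SectSize1 = ReadDword(hPE1, SectHdrsOffset1 + 8)
local SectSize2 = ReadDword(hPE2, SectHdrsOffset2 + 8)

-- presumably ReadDword yields null when the read fails (truncated file);
-- the check is harmless if it never does
if SectRVA1 == null or SectRVA2 == null or
   SectSize1 == null or SectSize2 == null then
    Err("Can't read the section headers")
    return
end

local SectOffset1 = RvaToOffset(hPE1, SectRVA1)
local SectOffset2 = RvaToOffset(hPE2, SectRVA2)

if SectOffset1 == null or SectOffset2 == null then
    Err("Can't retrieve the sections offsets")
    return
end

if SectSize1 == 0 or SectSize2 == 0 then
    Err("One of the sections has a size of zero.")
    return
end

local Sect1 = ReadBytes(hPE1, SectOffset1, SectSize1)
local Sect2 = ReadBytes(hPE2, SectOffset2, SectSize2)

-- A header that declares more bytes than the file holds must end in an error
-- message, not in a failed index operation inside the comparison loop.
if Sect1 == null or Sect2 == null then
    Err("Couldn't read the section data.")
    return
end

-- Get report name and create the file

local repname = GetSaveFile("Save Report As..", "Text File\n*.txt\n")

if repname == null then
    return
end

-- Deliberately global: AddToReport() reads it.
hReport = CreateLog(repname)

if hReport == null then
    return
end

AddToReport("Comparision between section " .. nSectToComp .. " of \n" ..
    filename1 .. "\nand\n" .. filename2 .. "\n\n" ..
    "Differences found at:\n\n" ..
    "RVA1 RVA2\n")

-- ask if the IATs should be excluded from the comparison

-- Each data directory entry is 8 bytes: the RVA at +0 and the size at +4.
local IATDirOffset1 = GetOffset(hPE1, PE_DataDirectories) +
    (IMAGE_DIRECTORY_ENTRY_IAT * 8)
local IATDirOffset2 = GetOffset(hPE2, PE_DataDirectories) +
    (IMAGE_DIRECTORY_ENTRY_IAT * 8)

local IATRva1 = ReadDword(hPE1, IATDirOffset1)
local IATSize1 = ReadDword(hPE1, IATDirOffset1 + 4)

local IATRva2 = ReadDword(hPE2, IATDirOffset2)
local IATSize2 = ReadDword(hPE2, IATDirOffset2 + 4)

-- 0 is a true value in Lua, so "IATRva1 and IATSize1" cannot tell an empty
-- directory entry from a populated one. Compare against 0 explicitly.
local bHasIAT1 = IATRva1 != null and IATSize1 != null and
    IATRva1 != 0 and IATSize1 != 0
local bHasIAT2 = IATRva2 != null and IATSize2 != null and
    IATRva2 != 0 and IATSize2 != 0

local bExcludeIAT = false

if bHasIAT1 or bHasIAT2 then
    local nRet = MsgBox("Exclude Import Address Tables?", strTitle,
        MB_ICONQUESTION | MB_YESNO)
    bExcludeIAT = (nRet == IDYES)
end

-- The IAT offsets are relative to the start of the compared section. A size
-- of 0 means "exclude nothing" for that file.
local IATOffset1 = 0
local IATOffset2 = 0

if bExcludeIAT and bHasIAT1 then
    local nIATFileOffset = RvaToOffset(hPE1, IATRva1)
    if nIATFileOffset == null then
        -- the RVA does not map to a file offset: nothing to exclude
        IATSize1 = 0
    else
        IATOffset1 = nIATFileOffset - SectOffset1
    end
else
    IATSize1 = 0
end

if bExcludeIAT and bHasIAT2 then
    local nIATFileOffset = RvaToOffset(hPE2, IATRva2)
    if nIATFileOffset == null then
        IATSize2 = 0
    else
        IATOffset2 = nIATFileOffset - SectOffset2
    end
else
    IATSize2 = 0
end

-- number of bytes to compare: the smaller of the two section sizes

local nBytes = SectSize1

if nBytes > SectSize2 then
    nBytes = SectSize2
end

-- start comparison loop

local nDiff = 0

-- NOTE(review): assumes ReadBytes returns a table indexed from 0; confirm
-- against the host's scripting reference.
for i = 0, nBytes - 1 do

    -- skip the byte when it lies inside the excluded IAT range of either file
    local bOutsideIAT1 = (i < IATOffset1) or (i >= IATOffset1 + IATSize1)
    local bOutsideIAT2 = (i < IATOffset2) or (i >= IATOffset2 + IATSize2)

    if bOutsideIAT1 and bOutsideIAT2 then

        if Sect1[i] != Sect2[i] then

            -- report difference
            AddToReport(
                string.format("%08X", OffsetToRva(hPE1, SectOffset1 + i)) ..
                " " ..
                string.format("%08X", OffsetToRva(hPE2, SectOffset2 + i)))

            nDiff = nDiff + 1
        end
    end
end

AddToReport("\nNumber of differences found: " .. nDiff)

MsgBox("Comparision successfully processed.", strTitle, MB_ICONINFORMATION)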